Capture and share the World’s moments. A simple, yet effective tagline coined by the social media platform that boasts over one billion active monthly users.

But what is it about the social network that makes it just so popular amongst, well, everyone? The aesthetic edge added from the proprietary filters? The simplicity in its design? Whatever the reason behind the social giant’s success, one thing is for certain – users are hooked.
And it’s this close relationship that is allowing otherwise careful mobile users to be enticed by a dangerous and popular breed of mobile attack, social media phishing.

The rise of Instagram phishing

If you type “Instagram Phishing” into Google, you’ll be greeted with over 10 million search results teaching you how to pull off a range of attacks. The results contain everything from “how to make a convincing login page”, to “how to hack an account”.
With these resources so readily available to internet users across the globe, it’s no surprise that Wandera’s threat research team have noted a significant rise in Instagram-themed mobile attacks.
In fact, our threat research team noted a 46% increase, from January to June 2017 to 2018, in the use of “Instagram” as an attack keyword. You can read more about the most popular keywords used in phishing attacks in this article.
Why is Instagram a workplace threat? The danger here lies in the social network’s huge reach. The mobile application is so popular that a staggering 34.8% of us have it installed on our corporate mobiles and this desire to be connected throughout the working day is putting our devices at risk.
Research shows that a mobile user is 18x more likely to be exposed to a phishing attempt on mobile than malware.  Less scrutinized channels like SMS, Slack, WhatsApp, games and social media are being employed at scale to distribute phishing links in places employees do not expect.

The corporate threat of Instagram

When it comes to mobile compliance, businesses differ vastly in their interpretation of “Acceptable Use”. While some institutions within the financial and legal sectors, for example, may operate a stricter policy towards content filtering and recreational application use, this may differ depending on your department, seniority and your role’s reliance on social applications. It is therefore important to understand the risk associated with using recreational apps interchangeably on a work device.
Wandera’s advanced real-time machine learning engine, MI:RIAM, is powered by mobile device data from over two billion daily inputs. The advanced technology continuously analyzes vast feeds of information to detect and respond to new insights regarding phishing sites and other potential threats.

Combined with insight from Wandera’s threat intelligence team, MI:RIAM inspects URLs to identify if they’re malicious using advanced phishing detection techniques.
MI:RIAM uncovered that the number of new phishing pages impersonating Instagram’s brand increased by 137% from the first quarter of 2017, to the first quarter of 2018.
Attacks differ vastly in shape and form, but most center around a user gaining access to their account: either a simple password reset scam which directs them to a fake login page, or an email from “administrators” asking the user to verify their login to gain access to their account. Below is a recent example detected from within Wandera’s global network.

Tips for securing your account

  1. Never use corporate credentials for private social accounts
  2. Revoke access to third-party apps in your device settings
  3. Enable two-factor authentication where possible
  4. Don’t allow the app to access your location
  5. Report suspected fraudulent emails directly to Instagram

If you fall victim to a social media phishing attack, Instagram has provided additional steps for regaining access to your account which you can find here.

Protecting your fleet

No matter how hard you try to educate yourself and your team, it’s inevitable that some attempts will slip through the net. However, it’s not all doom and gloom. The only way the attacker can exfiltrate your data is if they’re able to communicate with your device.
To stay ahead of the attacker it’s imperative to have a security solution in place which is able to intercept traffic to phishing sites, stopping the threat at its source. Wandera’s mobile threat prevention and detection technology monitors and blocks traffic in transit, blocking phishing attacks wherever they originate – including in SMS, email, applications and in the browser.
Unlike app-centric solutions, it doesn’t have to be open on the device and doesn’t rely on updates to keep users safe from the latest threats. We hope we have answered the question, “what is phishing”, but to learn more about the complex world of mobile phishing and how to defend against mobile security threats within your organization, get in touch with one of our mobile security experts.